[27847] in Kerberos

Re: Use ssh key to acquire TGT?

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Jun 1 09:34:57 2007

Message-Id: <200706011333.l51DXvgl006158@ginger.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <x33b1c9r4l.fsf@nowhere.com> 
Date: Fri, 01 Jun 2007 09:33:58 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>One of these days I'm going to request (for HCOOP) crossrealm trusts
>with the top 10 computer science universities in the USA [*] and
>document (a) my success rate, (b) how many emails it took, and (c) how
>many months from first request to working trust entry.  Hopefully a
>published case study like this will get people to stop pretending that
>crossrealm is actually a legitimate general-purpose solution.

I may be an extreme case, but I have 20 cross-realm keys.  But I
understand your point ... considering all of the confusion about
cross-realm authentication and what it means, sometimes it can be very
hard to convince the right person to make it happen.  And I see from my
list of realms I cross-realm with that it's all based on personal
relationships I have with the admins of those realms.  If I wanted to
cross-realm with, say, Stanford (who we don't currently cross-realm
with) I assume I could just call Russ and we'd take care of it in a few
minutes.  Or maybe not :-)  But a cold-call for doing Kerberos cross-realm
would be a bit of a challenge.

One suggestion?  One-way cross-realm (cross-realm into your realm) might
be easier to swing.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos